- The US is at great risk from terrorist manipulation of the intangible bits and bytes of cyberspace. US military institutions are already preparing for cyberspace terrorism and warfare by educating cadets in information assurance. In January 2000, the US Military Academy at West Point created an information assurance course that centers on a competitive, hands-on defensive project: protect a real network from real attack. This project forced the cadets to pull together what they know theoretically and apply it to a real network under attack without risking the damage that mistakes would cause on a live network. The authors encourage other organizations to follow their lead by conducting similar competitive exercises.

- This article addresses a key issue in security: how to inspire trust by disclosing security properties of software components to others in a component-based software development environment. The authors introduce a component security characterization framework in this endeavor that characterizes security properties by exposing software security profiles to others. The active interface lets software engineers know up front the impact of security properties of a composition's candidate components.

- Most organizations recognize the importance of cyber security and are implementing various forms of protection. However, many are failing to find and fix known security problems in the software packages they use as the building blocks of their networks and systems, a vulnerability that a hacker can exploit to bypass all other efforts to secure the enterprise. The Common Vulnerabilities and Exposures initiative seeks to avoid such disasters and transform this area from a liability to a key asset in the fight to build and maintain secure systems. Coordinating international, community-based efforts from industry, government, and academia, CVE strives to find and fix software product vulnerabilities more rapidly, predictably, and efficiently. The initiative seeks the adoption of a common naming practice for describing software vulnerabilities. Once adopted, these names will be included within security tools and services and on the fix sites of commercial and open source software package providers. As vendors respond to more user requests for CVE-compatible fix sites, securing the enterprise will gradually include the complete cycle of finding, analyzing, and fixing vulnerabilities.

- Most commercial software producers guard access to the source code of their systems, making it difficult for anyone outside their organizations to apply a variety of measures that could potentially improve system security. But since an attacker could also examine public source code to find flaws, would source code access be a net gain or loss for security? The question goes beyond the technical issues involved because publishing source code reveals intellectual property and therefore affects the producer's business model. We consider this question from several perspectives and tentatively conclude that having source code available should on balance work in favor of system security.

- The proliferation of embedded devices is bringing security and privacy issues to the fore. We must ensure that we have learned from past problems and proactively attempt to prevent them in the future.

- Search engines index a huge number of Web pages and other resources. Hackers can use these engines to make anonymous attacks, find easy victims, and gain the knowledge necessary to mount a powerful attack against a network. Further, search engines can help hackers avoid identification. One reason so few hacking attempts get reported is that there are so many of them. Tracerouting a hacker's IP address to its source often ends at a hop completely unrelated to the hacker's actual ISP or local network, which makes reporting the hacker to the upstream provider difficult. Search engines are dangerous largely because users are careless. In the age of DSL and broadband cable accounts, users often keep their machines turned on and connected to the Internet for days. Most of them would be shocked to find that potential hackers target their machines up to several times a minute. Most home-machine hack attempts seek to make their targets zombies in a distributed denial-of-service attack. Search engines make discovering candidate machines almost effortless. It isn't possible to secure all channels against hackers trying to penetrate a vulnerable system. But search engines needn't be wide-open channels that continue to help hackers find and penetrate weak systems.

- A growing number of embedded systems use security processors to distribute control, billing, and metering among devices with intermittent or restricted online connectivity. The more obvious examples include smart cards, microcontrollers used as value counters in postal meters and vending machines, and cryptographic processors used in networks of automatic teller machines and point-of-sale equipment to encipher customers' personal identification numbers. Recently, a whole new family of attacks has been discovered on the application programming interfaces these security processors use. These API attacks extend and generalize the known types of attack that target authentication protocols. Such attacks present valid commands to the security processor but in an unexpected sequence, thereby obtaining results that break the security policy its designer envisioned. Designing security APIs is a new research field with significant industrial and scientific importance. The poor design of present interfaces prevents many tamper-resistant processors from achieving their potential and leaves a disappointing dependency on procedural controls—the design of which involves subtleties likely to exceed the grasp of most implementers. It is unclear that a "generalized" API will work. The natural accretion of functionality presents security with one of its greatest enemies. Yet, getting the API right is relevant for more than just cryptoprocessors. The API is where cryptography, protocols, operating-system access controls, and operating procedures all come together—or fail to. It truly is a microcosm of the security engineering problem.

- The general-purpose computing environment that characterizes the PC and Internet was not designed for privacy or integrity. Surveying a variety of Internet targets and likely attackers, the author discusses how these systems can be hardened to survive attacks.

- Businesses of all sizes use the Internet for sales, purchasing, and collaboration. They all need reliable systems. Here are a few steps we can take now to ensure the security of software and thus to sustain the growth of Internet commerce.

- In today's heavily networked environment, you must guard against both obvious and subtle intrusions that can delete or corrupt vital data. Ideally, your security measures will allow critical system operation even when you're under attack.

- Computer security can be used as a vehicle to achieve accreditation goals for computer science and engineering programs, while at the same time engaging students with relevant, exciting topics. The authors' approach, based on educational outcomes, illustrates that security topics can contribute to an engineering program by fostering all skills required to produce graduates capable of critical thinking.

- The authors describe a message interface that provides high performance and low processor overhead, and features a robust protection model. They discuss this system in the framework of the multithreaded MIT M-Machine and show that—unlike other approaches—this system is able to avoid starvation while providing protection and maintaining high efficiency.

- Developing security methods for the Web is a daunting task, in part because security concerns arose after the fact. The authors offer a survey of Web security issues, focusing on particular areas of concern, such as server security, mobile code, data transfer, and user privacy.

Seattle Firewall - An ipchains-based firewall supporting ipip tunnels, IPSec, PPTP, and LRP. It is easily configured via configuration files and can be extended without modifying the released code. This is an Open Source Software project with no connection to Seawall, Inc. {(L)GPL}

At SourceForge (Production/Stable)

Bastille-linux - Bastille Linux is a hardening program that enhances the security of a Linux box by configuring daemons, system settings, and firewalling. It currently hardens Red Hat 6.0-6.2 and Mandrake 6.0-6.1. {(L)GPL}

At SourceForge (Production/Stable)

SocketWatch - SocketWatch is an anti-port-scanning program. It is configured to listen on specified ports, and if a connection is made from an unauthorized host, ipchains is used to completely DENY the host. {(L)GPL}

At SourceForge (Production/Stable)

Heimdall Linuxconf Firewall - A simple-to-use Internet firewall (distributed as part of Linuxconf). A network interface monitor runs in the background as a daemon, based on a configuration made in Linuxconf (via the web, GUI, client/server, or text interface). {(L)GPL}